almondoffsec - Network

To escape a locked-down Citrix environnement, team member SAERXCIT (https://twitter.com/SAERXCIT) wrote a basic shellcode loader in OpenEdge...

To escape a locked-down Citrix environnement, team member SAERXCIT (https://twitter.com/SAERXCIT) wrote a basic shellcode loader in OpenEdge ABL, a 40 years old english-like programming language. We're sharing it in the off chance someone else might one day need it:

https://github.com/AlmondOffSec/OpenEdgeABL-Loader

@sigabrt @yeswehack This issue was assigned CVE-2024-52531. While the CVE description states that the vulnerability cannot be reached from...

@sigabrt @yeswehack This issue was assigned CVE-2024-52531. While the CVE description states that the vulnerability cannot be reached from the network, it seems, in fact, possible (check the blogpost for details).

Team member @sigabrt describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack bug bounty program for Gnome:...

Team member @sigabrt describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack bug bounty program for Gnome: https://offsec.almond.consulting/using-aflplusplus-on-bug-bounty-programs-an-example-with-gnome-libsoup.html

New article on F5! A write-up on CVE-2024-45844 a privilege escalation vulnerability in BIG-IP by team member @myst404...

New article on F5! A write-up on CVE-2024-45844 a privilege escalation vulnerability in BIG-IP by team member @myst404
https://offsec.almond.consulting/privilege-escalation-f5-CVE-2024-45844.html

If you are lucky enough to have a Windows Server Datacenter with Hyper-V, you can automatically activate @M4yFly 's GOAD VMs, so...

If you are lucky enough to have a Windows Server Datacenter with Hyper-V, you can automatically activate @M4yFly 's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We POCed a Vagrant-style script here:

https://github.com/AlmondOffSec/GOAD_hyperv

#GOAD #activedirectory #hyperv

How does F5's Secure Vault, its "super-secure SSL-encrypted storage system" work? Response in this article by team member...

How does F5's Secure Vault, its "super-secure SSL-encrypted storage system" work? Response in this article by team member @myst404

https://offsec.almond.consulting/deep-diving-f5-secure-vault.html

Got root, what now? Practical post-exploitation steps on an F5 Big-IP appliance, by team members @drm and @myst404...

Got root, what now? Practical post-exploitation steps on an F5 Big-IP appliance, by team members @drm and @myst404

https://offsec.almond.consulting/post-exploiting-f5-BIG-IP.html

Stoked to see #PassTheCert featured in ippsec ‘s solution to HackTheBox Authority🧑‍⚖️!Video:...

Stoked to see #PassTheCert featured in ippsec ‘s solution to HackTheBox Authority🧑‍⚖️!

Video: https://www.youtube.com/watch?v=7AF5riqLy-8

Find the tool here: https://github.com/AlmondOffSec/PassTheCert

We updated this old gem by @myst404 to include the new #GLPI decryption...

We updated this old gem by @myst404 to include the new #GLPI decryption algorithm.

https://offsec.almond.consulting/multiple-vulnerabilities-in-glpi.html

Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or...

Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by @drm introduces them through the lens of Python libraries.

https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html

To fix the bypass, @matrix hardened the CSP by restricting allowed domains to reCAPTCHA related...

To fix the bypass, @matrix hardened the CSP by restricting allowed domains to reCAPTCHA related ones.

https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw

PoC: ```<iframe srcdoc="<body><script...

PoC:
```
<iframe srcdoc="<body><script src=&quot;https://www.gstatic.com/fsn/angular_js-bundle1.js&quot;></script><div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=eval(atob(`YWxlcnQodG9wLmxvY2F0aW9uKSAK`))');}}</div></body>"></iframe>bbbb
```

The final payload that worked for the web app and the electron-based one used a base64 encoded string within the eval method. An iframe tag...

The final payload that worked for the web app and the electron-based one used a base64 encoded string within the eval method. An iframe tag is used because the application is a SPA.

This version is vulnerable to sandbox escape with...

This version is vulnerable to sandbox escape with "{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}" (originally found by Gareth Heyes). However, this payload is known to bug if the eval contains a "." (dot character).

Original CSP included a "script-src https://gstatic.com 'unsafe-eval'" directive. gstatic CDN still hosts out of date...

Original CSP included a "script-src https://gstatic.com 'unsafe-eval'" directive. gstatic CDN still hosts out of date libraries such as AngularJS 1.3.20.

A few months ago, Cadence Ember found an HTML injection in the matrix-react-sdk, mostly used by the @element client. The CVE advisory...

A few months ago, Cadence Ember found an HTML injection in the matrix-react-sdk, mostly used by the @element client. The CVE advisory stated that the implemented Content-Security-Policy mitigated the risk of XSS. So, team member S1m poc'ed a bypass. 🧵

A look back at CVE-2020-0911, a Windows Installer EoP found by jonasLyk with team member...

A look back at CVE-2020-0911, a Windows Installer EoP found by jonasLyk with team member @clavoillotte:
https://offsec.almond.consulting/windows-msiexec-eop-cve-2020-0911.html

Ghostscript RCE CVE-2023-28879 can impact many applications processing images and PDF files.Discovery and exploitation write-up by team...

Ghostscript RCE CVE-2023-28879 can impact many applications processing images and PDF files.
Discovery and exploitation write-up by team member @sigabrt : https://offsec.almond.consulting/ghostscript-cve-2023-28879.html